Cybersecurity Medical Devices

Artificial Intelligence (AI), General Data Protection Regulation (GDPR) and Cybersecurity: 10 Misconceptions about Medical Device Software

Artificial Intelligence (AI), General Data Protection Regulation (GDPR) and Cybersecurity: 10 Misconceptions about Medical Device Software

 

Medical Device Software (MDSW) is a growing, fast-evolving industry. However, manufacturers often must face a regulatory framework which does not evolve at the same speed. Regulation for medical devices is restrictive, since it needs to guarantee the safety of users (e.g. Health Care Professionals) and the target population (e.g. patients). Moreover, it has experienced a significant increase in requirements with the approval of the new regulation MDR 2017/745. Manufacturers of MDSW who have never placed a medical device on the market, or who did it under the former Medical Device Directive (93/42/EEC MDD) might have some misconceptions about the process. The purpose of this article is to address some of the most common (and not always right) assumptions and provide useful and truthful information about the process of reaching the conformity assessment under MDR, for successfully placing an MDSW on the market. 

 

Cybersecurity Medical Devices

Here are 10 common misconceptions about Medical Device Software, and their respective clarification:

 

1. MDSW is classified as low risk under the MDR 2017/745. 

False! On the contrary, only a small portion of MDSW is classified with the lowest risk class (class I) according to the new regulation (MDR2017/745 annex VIII) and related guideline (MDCG 2019-11). To classify a Medical Device Software, two main aspects must be taken into account: 1) the severity of the state of the healthcare situation or patient condition and 2) the significance of the information provided by the software to the healthcare situation related to diagnosis/therapy. After taking these factors into consideration, most MDSW is classified in higher classes, from Class IIa to Class III, which entails increased regulatory requirements. 

 

2. Agile development practice and IEC 62304 requirements cannot co-exist because they rely on fundamentally conflicting principles. 

Agile methodologies (i.e. SCRUM) are compatible with the standard for the development of Medical Device Software. Actually, there exists a Technical Information Report providing guidance on the use of Agile practices in the development of medical device software (AAMI TIR45:2012). It is up to the manufacturer to decide the Software Development Lifecycle (SDLC) of the product. However, there are multiple challenges that a manufacturer must face, especially in terms of procedures (alignment with the Quality Management System), validation of tools and documentation.

 

3. I have developed a Machine Learning model that underwent thorough testing and showed excellent technical performance, so I should be able to access the market in a few months. 

All MDSW embedding AI must comply with applicable MDR 2017/745 requirements prior to being placed on the market. This means that the processes and the timing to access the market are not accelerated compared to other medical devices. In addition to the general regulation, there are some relevant specific considerations for the Clinical Evaluation of Medical Device Software as per MDCG 2020-1: For any MDSW (including AI-based MDSW), Clinical Evaluation should demonstrate the valid clinical association/scientific validity, technical performance, and clinical performance. This guidance on clinical evaluation of MDSW provides a framework for the determination of the appropriate level of clinical evidence required for MDSW. The provisions of this guidance document should be taken into consideration from the early stages of software development.

 

4. I can place my AI-based Software Medical device on the market if I have trained, tested and validated it with datasets coming from open access repositories.  

It depends. It is important to verify that sufficient information is available on the origin of the clinical data. Multiple requirements might be fulfilled to ensure the validity of the protocol used to collect the data as well as the compliance of the data collection methods with GDPR: Was the study run according to the Good Clinical Practices and standards? Was GDPR followed? Was the data collection performed by certified professionals? It is also important to adopt good machine learning practices during model training, testing and validation, e.g., that training and testing datasets should be independent. For more information, check these guiding principles for Good Machine Learning Practices. 

 

5. If my MDSW fails to ensure personal data protection, it is not considered as harm. 

According to the MDR 2017/745, all parties involved in its application shall respect the confidentiality of information and data obtained. Even if the failure of the software does not result in a lesion or physical injury, disclosure of personal yields infringement penalties according to MDR2017/745 and GDPR Regulation (EU) 2016/679. Therefore, data processing, involving transmission over a network or storage needs to be properly tackled by design strategies (e.g. minimum data collection, pseudo anonymisation) and complemented with ICT techniques (encryption, Secure layers, etc.). To conduct Risk management is a “must”, and any residual risk must be mitigated as much as possible.

6. If my device is not storing data, I do not need to comply with GDPR.

Even if the device does not store data, it still might be, for instance, linked to a website that collects some personal information related to the user or the practitioner. It is important to conduct an analysis of the whole lifecycle of the product and identify which processes need special attention as per the GDPR requirements. 

 

7. If I am working with anonymised data, I do not need to comply with GDPR. 

That is true if data is completely anonymised. However, most manufacturers rather work with pseudo-anonymised data, meaning that there is a “key” that can be used to link back the clinical data with the personal information of the patient. In this case, the manufacturer needs to be compliant with GDPR regulations. 

 

8. I can keep the collected data for as long as I want. 

Similarly, that depends on whether the collected data is fully anonymised. If that is the case, there are no time restrictions for its storage, but if the data is pseudo-anonymised, there are restrictions. GDPR regulation does not establish specific time windows within which the storage is allowed, instead, it mentions that “personal data must be kept in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing”. 

 

9. If I use a cloud server, I do not need to worry about cybersecurity because the service provider takes care of it. 

Be careful, most cloud servers are not specifically designed to host confidential data or clinical data. When choosing a cloud server for such purposes, it is good to select an ISO 27001 certified provider. That means that the provider has a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system. However, be proactive! Use all relevant information sources (Common Vulnerabilities and Exposures (CVE) for vulnerability monitoring, testing tools such as Trivy, Shodan, OWASP, etc.), and monitor all processes concerning maintenance and infrastructure via health checks.  

 

10. If the Software Medical Device is a standalone software intended to be used in a host, I do not need to take precautions on cybersecurity. 

False! MDR 2017/745 requires manufacturers to foresee possible threats caused by misuse of their device and to take actions to prevent it. Besides, MDR also requires reducing as far as possible the risk associated with the possible negative interaction between software and the IT environment the MDSW operates and interacts with. So, it is important to take cybersecurity preventive measures to identify possible threats, vulnerabilities, assets and impacts. A manufacturer needs to consider security in a holistic approach as the nature of assets is diverse: Hardware (including the infrastructure), Software (protection against most common threats such as ransomware, malware, legacy software, Software of Unknown Provenance, etc), Data (Personal Identifiable Information PII, Health Records, Systems configuration, etc), and Users (considering misuse, unauthorised users, protection of sensitive functionalities, etc). 

 

 

Placing MDSW on the market requires knowledge of a broad variety of topics, including regulation and related guidelines for clinical validation, GDPR, cybersecurity, risk management and quality control. 

 

With an extensive track record working on similar problematics, Medidee can support you with services ranging from training courses and coaching, up to completing the strategy to successfully bring your product to the market.

 

Contact us today to discuss your project! 

 

 

This article was written by Dr Nuria Gresa, Dr Stamatia Pagoulatou and Dr Gustavo Hernandez.


Webinar Clinical Evaluation Reports - Australian companies

[WEBINAR] Clinical Evaluation Reports

UPDATES RELATED TO MDR FOR AUSTRALIAN COMPANIES

 

Currently, we observe that the reviewers of Notified Bodies during MDR conformity assessments are gradually converging in terms of review practices and acceptance criterion. During this webinar, you will get an overview of the latest updates related to the preparation of clinical evaluation reports (CER).

 

Our expert Dr Jérôme Randall will guide you through:

  • The notions of “performance-based CER” and “well-established technologies”
  • Methods for scoping and launching simplified PMCF (Post Market Clinical Follow Up) studies for gathering the clinical data that may be missing.

 

WATCH THE WEBINAR

Please submit the form to watch:


Performance Evaluation Plan & Report Webinar

[WEBINAR] Performance Evaluation Plan & Report

With the implementation of the IVDR, for In Vitro Medical devices (IVD), a performance evaluation needs to be conducted to demonstrate a device’s performance and safety evidence. This performance evaluation follows a defined Performance Evaluation Plan (PEP) and is documented within a Performance Evaluation Report (PER).
 

But what exactly is a performance evaluation and what does it consist of?
What are the IVD devices which need a performance evaluation?
How do I establish the strategy for performance and safety substantiation?
When is the right moment to start with a device’s performance evaluation?
What about legacy devices?
Is there any guidance or a standard that I can use?

 

In order to avoid delays in the development and marketing approval process, it is important to understand the full workflow of an IVD’s performance evaluation. Join us for this on-demand webinar during which our expert Julianne Bobela will guide you through an IVD’s performance evaluation workflow, including:
 

· The documentation which constitutes a performance evaluation
· The type of data needed to support a device’s performance and safety
· The device-specific needs for performance evaluation, based on its group, risk class, and intended purpose
· The lifecycle of a performance evaluation and its interconnection with other documents of the technical documentation

 
ON-DEMAND PEP & PER WEBINAR



Clinical Investigation & In Vitro Diagnostic Devices Webinar

[WEBINAR] Clinical Investigation & In Vitro Diagnostic Devices

With the implementation of the IVDR, clinical performance studies on In Vitro Diagnostic Medical devices are becoming a central pillar of the device’s clinical evidence.
 

But what exactly is a clinical performance study?
Which IVD devices require collection of clinical evidence through a clinical performance study?
When is the right moment in a device’s lifecycle for conducting a clinical performance study?
How do I handle clinical data gathered through previous clinical performance study?
Is it mandatory to use the ISO 20916 standard?

 

In order to avoid delays in the marketing approval process, it is important to understand the full clinical workflow for each type of IVD device. Join us for this on-demand webinar during which our expert Julianne Bobela will guide you through an IVD’s Clinical workflow, including:
 

· The type of clinical data needed
· The device-specific needs for clinical performance studies
· The characteristics of interventional clinical performance studies
· The regulatory requirements for conducting clinical performance studies

 
ON-DEMAND CLINICAL INVESTIGATION WEBINAR
 


Techletter | Medical Device Software incorporating Artificial Intelligence:

[TECH LETTER] Medical Device Software incorporating Artificial Intelligence: Generating sufficient evidence under the MDR

GET THE TECH LETTER

 

Artificial Intelligence (AI) and Machine Learning (ML) technologies have the potential to transform medicine by aiding in the detection, diagnosis, and management of diseases. As digitalization of healthcare generates massive amounts of data, medical device manufacturers are increasingly incorporating AI technologies to automate the analysis of such data targeting to create innovative products and improve patient care. This turn towards AI-enabled medical device software (MDSW) is also evidenced by the plethora of studies evaluating the feasibility of artificial intelligence systems across a wide range of health-related indications.

 

While the interest in medical applications of AI is strong, inconsistent and incomplete collection of evidence remains one of the barriers to the assessment of the safety and performance of AI-MDSW by regulatory bodies.

According to the provisions of Article 61(1) of the MDR EU 2017/745, it is the responsibility of the manufacturer to specify and justify the level of Clinical Evidence necessary to demonstrate conformity of their medical device to the relevant General Safety and Performance Requirements (GSPRs); this level of clinical evidence should be appropriate in view of the device characteristics and intended purpose.

 

Determining the appropriate level of evidence might be challenging, especially in the case of AI-enabled MDSW which significantly differs from established medical device software in terms of technical and clinical aspects. At the same time, there is no explicit regulatory guidance for conformity assessment of AI technologies, delineating appropriate and practical evidence generation approaches.

 

Accordingly, this Technical Letter aims to provide an overview of the considerations for evaluating evidence regarding AI-MDSW.

 

GET THE TECH LETTER



Read this article on GSPR 12

[TECH LETTER] GSPR 12. Requirements for devices incorporating active substances or substances absorbed by or locally dispersed in the human body

Manufacturers producing substance-based medical products are often confronted with the question of finding which European legal framework is applicable.
 
Depending on the mode of action, their product can be regulated by the Directive 2001/83/EC relating to medicinal products for human use (MPD) or by the Medical Device Regulation 2017/745 (MDR).
 
The objective of this Downloadable Tech'letter is to support manufacturers in this process.
 



Read this article on Claims & their substantiation

[TECH LETTER] Claims and their substantiation

This Downloadable Tech'letter will discuss Article 7 of the MDR & IVDR and its implications in terms of the safety and performance data required to substantiate a given claim.
 
The claims made by a manufacturer regarding the intended use, safety, and performance of their medical device or IVD medical device, both in their form and content, indubitably play an important role toward the commercial success of their product.
 
It is therefore in the manufacturer’s interest to formulate the most appealing claims possible on the device. This can in certain cases lead to the communication of exaggerated or ambiguous claims on the device, particularly in, but not limited to, promotional material.
 
It is however imperative for manufacturers to have a clear understanding of what they are allowed or have the obligation to communicate to the user or patient regarding the intended purpose, safety, and performance of their medical devices.
 

MDR/IVDR Article 7 states in essence that device manufacturers may not communicate any claim on the device which is not adequately supported by objective data. In this context, manufacturers should early in their device development stages define plans and methods in order to capture the safety and performance data necessary to substantiate any claim they intend to make on their devices.

 

Fill out my online form

How to have a compliant Technical Documentation

[WHITE PAPER] MDR Compliant Technical Documentation

This downloadable white paper co-authored by Medidee and BSI, one of the largest Notified Bodies, gives manufacturers an interpretation on how the changes necessary for the move from compliance with the MDD/AIMDD to the MDR might be implemented, as well as practical hints on what needs to be considered in order to maintain technical documentation as stipulated by the MDR. Although being issued back in 2019, its content remains widely relevant and applicable when it comes to the constitution of an MDR compliant Technical Documentation.

 

As a Manufacturer, you may have wonder how to ensure your Technical Documentation Complies with EU Medical Device Regulation 2017/745. Indeed, before placing a medical device on the European market, manufacturers need to produce technical documentation providing evidence of conformity with the relevant legislation.

 

Technical documentation had to be in compliance with the Medical Devices Directive (MDD) 93/42/EEC or the Active Implantable Medical Devices Directive (AIMDD) 90/385/EEC (referred to as ‘MDD/AIMDD’ hereafter).

Since 26 May 2021, manufacturers willing to obtain or renew a CE certificate or to issue a Declaration of Conformity (DoC), are required to have their technical documentation compliant with the Medical Device Regulation (MDR) European Union (EU) Regulation 2017/745 (referred to as ‘MDR’ hereafter).

However, as indicated in Article 120 of the MDR, after 26 May 2021, medical devices can still be placed on the market under the provision of the MDD/AIMDD, providing the certificate was issued prior to this date, that manufacturer continues to comply with either one of the directives and that no significant changes are made in the design and intended purpose of the device.

 

But Manufacturers of such devices will also have to meet other requirements, which are detailed in Article 120 of the MDR and referenced in this white paper. The certificates issued in accordance with MDD/AIMDD after 25 May 2017 remain valid until reaching their expiry date, but in any case, they become void latest on 27 May 2024.

This necessitates changes for the manufacturers, Competent Authorities (CAs) and Notified Bodies (NBs) on how the technical documentation should be developed and handled.

 

As mentioned in the first paragraph from Annex II of the MDR, ‘the technical documentation and, if applicable, the summary thereof to be drawn up by the manufacturer shall be presented in a clear, organised, readily searchable and unambiguous manner and shall include in particular the elements listed in this Annex’.

Reading the MDR it becomes evident that the requirements for technical documentation have been raised and will also be subject to more scrutiny by the CA/NB as appropriate.



FDA Breakthrough Devices Program (BDP) and Safer Technologies Program (STeP) for Medical Devices

[ARTICLE] FDA Breakthrough Devices Program (BDP) and Safer Technologies Program (STeP) for Medical Devices

Launched in 2016, the FDA Breakthrough Devices program (BDP) is intended to provide patients with more rapid access to medical devices that are foreseen to enable a more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions.
 
The new FDA Safer Technology Program (STeP) which is operational since March 2021, aims to accelerate patient access to medical devices that are expected to improve the safety of treatments targeting diseases that are less serious than those qualifying for the existing BDP.
 
A BDP or STeP designation for a device notably allows companies to benefit from additional FDA input, flexibility with regards to clinical study design and quality system and manufacturing information requirements, and prioritized review during the premarket phase; and can therefore considerably diminish the time necessary for US market approval.
 
This article will review the principles, features, requirements, application processes, and benefits, of both programs.
 
 

The Breakthrough Devices Program (BDP)

 

The FDA Breakthrough Devices Program (BDP) is a voluntary program intended to ensure patients with timely access to certain medical devices and device-led combination products that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. It is available for devices and device-led combination products subject to review under a premarket approval notification (PMA), premarket notification (510(k)), or De Novo classification request (“De Novo Request”).
 
Companies designated for the BDP benefit from additional feedbacks from the FDA during the premarket phase, although the designation does not change the statutory standards for PMA, 510(k) clearance, or De Novo marketing authorization. The Breakthrough Devices Program replaced the previous Expedited Access Pathway (EAP) and Priority Review for medical devices.
 
The FDA has issued a guidance document on the Breakthrough Devices Program that provides detailed information on the program principle, on the procedure for designation request, and on the program features.
 
Devices are eligible for breakthrough device designation if both of the following criteria are met:

  • The first criterion is that the device provides for more effective treatment or diagnosis of life-threatening or irreversibly debilitating human disease or conditions.
  •  The second criterion is that the device also meets at least one of the following:

 
a) Represents breakthrough technology
 
b) No approved or cleared alternatives exist
 
c) Offers significant advantages over existing approved or cleared alternatives
 
d) Device availability is in the best interest of patients
 
When a device is granted the Breakthrough Device Designation, the manufacturer is ensured direct interactive communication with a sufficient number of well-trained FDA staff, including senior management, with expertise in the application of the BDP.
 
Interaction with the FDA to obtain feedback on the device development is managed through a variety of options, including “sprint” discussions (i.e. discussions with the goal of reaching mutual agreement on a specific topic within a set time frame (e.g. 45 days)), request for discussion on a Data Development Plan, and request for discussion to reach clinical protocol agreement.
 
With regards to the last aforementioned point, the FDA will take steps to ensure that the design of clinical trials is as efficient and flexible as practicable. It will, for instance, allow the study design to be adapted during the clinical study and/or approval process.
 
Moreover, the FDA may allow for part of non-clinical and clinical data to be collected in the post-market phase, provided there are no major safety concerns. In addition, with the BDP designation there is also a prioritized review of regulatory submissions, including Q-Submissions, Investigational Device Exemption (IDE) applications, and marketing submissions.
 
Finally, for PMA submissions that typically require a preapproval inspection, the FDA intends to expedite the review of manufacturing and quality system compliance for BDP-designated devices.
 
If the manufacturer can show compliance with the statutory and regulatory requirements by other means than submitting the all the items listed in the FDA guidance “Quality System Information for Certain Premarket Application reviews”, the FDA may accept less quality and manufacturing information. This may occur for instance when the manufacturer has a good track record for quality system compliance and that no new manufacturing issues that could negatively affect product quality or performance are identified. In appropriate cases, the FDA may decide it is acceptable to conduct the inspection of the manufacturing sites after the device has been approved through the BDP.

How to apply for the Breakthrough Devices Program?

 

To apply for the BDP program, manufacturers shall submit a special Q submission named “Designation Request for Breakthrough Device”. The submission should provide information to describe the device, the indications for use, regulatory history, and it should explain in details the rationale why the device meets the requirements to be eligible for the program. If other requests for FDA feedback are concomitantly pending, manufacturers should consider submitting them after the FDA renders the BDP designation decision as a BDP designation may affect the feedback that FDA provides on the other requests.
 
The FDA will issue a decision on the BDP designation within a maximum of 60 calendar days, and request any additional information it may require within 30 days. The BDP designation request typically takes the form of an approximately 30 page submission file and usually requires a few weeks for preparation, if necessary with the support of a consulting firm.
 
Despite a report that the FDA may be open to making public devices having received BDP designations in the future, the decision to do so remains for the moment at the discretion of the manufacturers participating in the program.
 
It is therefore difficult to obtain reliable data on how frequently BDP designations are solicited and granted. Nonetheless, according to an article published in May 2020 by MedTech Dive who was able to obtain data relating BDP designations from the FDA, there were 11 devices awarded with a BDP designation in 2016, 19 in 2017, and 55 in 2018, 136 in 2019 and 50 and in 2020 as of May.
 
Thus, the BDP program is increasingly gaining popularity, showing roughly a two-fold increase in BDP designations per year since the launch of the program in 2016. Of these, five BDP-designated devices received full marketing authorization in 2019 (three PMAs, one 510(k), and one De Novo).
 
No information regarding the number of devices that won final marketing authorizations under the program in 2020 could be retrieved. Nonetheless, this number is expected to increase proportionally to the number of granted designations.
 
 

The Safer Technology Program (STeP)

 

The new Safer Technology Program (STeP) for Medical Devices was designed as a complement to the BDP. The STeP is highly similar to the latter, but tailored for medical devices and device-led combination products that are reasonably expected to significantly improve the safety of treatments targeting an underlying disease or condition less serious than those qualifying for the BDP.
 
These may include for example devices intended to treat or diagnose non-life-threatening or reversible conditions. As for the BDP, STeP is also available for devices and device-led combination products subject to review under a premarket approval notification (PMA), premarket notification (510(k)), or De Novo classification request (“De Novo Request”). The FDA issued the final guidance on the Safer Technologies Program on January 6th 2021, and anticipated accepting program entrance requests as of March 8th, 2021.
 
For a device to be eligible for STeP designation, it should meet the following criteria:

  • The first criterion is that the device should not be eligible for the Breakthrough Devices Program (BDP) in reason of the less serious nature of the disease or condition treated, diagnosed, or prevented by the device; and
  • The second criterion is that the device should be reasonably expected to significantly improve the benefit-risk profile of a treatment of diagnostic by means of substantial safety innovations that provide for at least one of the following:

 
a) A reduction in the occurrence of a known serious adverse event,
 
b) A reduction in the occurrence of a known device failure mode,
 
c) A reduction in the occurrence of a known use-related hazard or use error, or
 
d) An improvement in the safety of another device or intervention
 
Similarly to a BDP designation request, manufacturers should apply for a STeP designation by submitting a Q-Submission requesting inclusion in the STeP program. This request should be highlighted in the accompanying cover letter. The request should provide information to describe the device, the expected safety improvement, the indications for use, regulatory history, and justification as to why the device meets the specific STeP eligibility factors.
 
More information on the contents of a Q-Submission Request for inclusion in STeP may be found in appendix I of the STeP final guidance. Once the program will be operational, the FDA intends to request any additional information it may require on the request for inclusion in STeP within 30 calendar days, and to issue its final decision within 60 days.
 
Once a device is designated for the Safer Technology Program, the manufacturer can choose to interact with the FDA through the same options as for the BDP, including interactive and timely discussions with FDA staff, senior management engagement, early engagement on Data Development Plans, and sprint discussions. Similarly as within the BDP program, the FDA will also allow for a certain degree of flexibility on clinical trial design and for the collection of non-clinical and clinical data.
 
In appropriate cases, the FDA also intends to expedite the review of manufacturing and quality system compliance for STeP designated devices by demanding less quality system and manufacturing information, or waiving the requirement for a preapproval inspection of the manufacturing sites.
 
As the STeP program is not yet operational at the time of writing this article, no data is currently available regarding the number of STeP designations and approvals.
 
In summary, the FDA Breakthrough Devices and Safety Technology Programs provide considerable advantages that can significantly reduce the time for US market access for devices fulfilling either set of specific inclusion criteria described above. It shall be emphasized that the BDP and STeP programs are complementary and will run in parallel. The BDP addresses devices that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions, whereas the STeP is intended for devices expected to increase the safety of treatments or diagnosis of less serious diseases. Once designated for either of the programs, the manufacturer can expect interactive and timely interaction with the FDA, senior FDA management engagement, priority review, and flexibility with regards to the pre/postmarket balance of data collection, clinical study design, and quality and manufacturing information requirements.
 
 

How Medidee can help

 

Does your medical device potentially meet the criteria for inclusion in the BDP or STeP programs? Our dedicated US market specialists at Medidee are well-experienced with the Breakthrough Devices Program, and may assist you determining whether your product qualifies for inclusion in the BDP or STeP programs, in preparing and submitting your BDP or STeP designation request, and in subsequent interactions with the FDA once the designation is granted. Contact us now!

 

This article was written by Dr Jérôme Randall.


Biological Safety Assessment

[ARTICLE] ISO 14155:2020 changes to be aware of when planning, designing or conducting a clinical investigation

The new ISO 14155:2020 - Clinical investigation of medical devices for human subjects – Good Clinical Practice was released in July 2020. This third edition supersedes the 2011 version, which was updated as to conform with the upcoming MDR.
 
ISO 14155:2020 is expected to be harmonized rapidly without content deviations as it is the European Commission’s priority to provide a reference standard to support the provisions of the MDR pertaining to clinical investigations.
 
Therefore, the Annex Z showing the correlation between the requirements of the standard and those of the relevant Directives and Regulation should soon be released by the CEN (European Committee for Standardization) for harmonization under the European Directives 90/385/EEC for active implantable medical devices (AIMDD) and 93/42/EEC for medical devices (MDD), and under the European Regulation 2017/745 for medical devices (MDR). No official transitional period has been communicated for this updated standard, and thus it is considered applicable as of its date of publication.
 
 

Changes induced by the new ISO 14155:2020

 
Aside from the main documentary changes listed in the foreword of the standard, the major changes to be aware of when planning, designing or conducting a clinical investigation are:
 

    • Clinical investigation is now 2.0: ISO 14155:2020 discusses the opportunity for remote monitoring, the acceptability of digital signature for informed consent forms and the validation process for eCRFs systems.

 

      • Clinical investigations must be registered in a publicly accessible database, such as clinicaltrials.gov. The registration must be updated and results must be published after the completion of the investigation. Previously, certain countries required registration, whereas others did not.

 

    • It is now an obligation to publish the investigation’s results, whether positive, inconclusive or negative. Previously, the standard only encouraged sponsors to do so.

 

    • New concept of Serious health threat as a signal that indicates an imminent risk of death and requires immediate actions to be taken by the sponsor and/or the investigator.

 

    • Clinical investigations, like all other medical devices related processes, should be planned, designed and conducted following a risk-based approach. Whether it is related to monitoring or adverse events reporting, risk management activities should be performed throughout the process of a clinical investigation. The newly added Annex H specifies the ties with ISO 14971.

 

    • Description of the feedback loop with clinical evaluation and risk management activities, such as the use of the clinical evaluation to justify the clinical development stage, and the clinical investigation design and the update of the benefit-risk analysis.

 

    • Clinical quality management is reinforced, including CAPA process.

 

    • The selection of the investigation site should be performed carefully, as it is now specified that facilities should be representative of the intended use environment.

 

    • In case of device deficiencies, the sponsor is now prompted to recover and analyse the faulty device.

 

    • Contract Research Organizations (CROs) should be qualified suppliers of the sponsor, according to the sponsor’s QMS.

 

    • The newly added Annex I brings welcome clarifications on the applicability of the requirements of this standard to the different clinical development stages and includes a useful table for the planning and design of clinical investigation in all phases of the medical device lifecycle.

 

    • The sponsor must select a local representative if the sponsor is not located in the country of the study. Previously, this was requested by certain local regulations, but not in all countries.

 
 

As a medical device manufacturer, we recommend you start your transition today:

 

  1. Plan and document your transition activities;
  2. Implement ISO 14155:2020 in your QMS and perform a gap analysis to identify any shortcomings with the requirements of the new standard;
  3. Provide internal training on the new standard and affected SOPs (related processes such as risk management, clinical evaluation, CAPA, etc. are particularly relevant to consider);
  4. Review / Update templates for future clinical investigations (Clinical Investigation Plan, Investigator’s Brochure, etc.);
  5. Validate your eCRF system if not already done;
  6. Update contracts with your CRO and make sure they are formally qualified as a supplier.

 
This article was written by DR Jérôme Randall.
 
If you are eager to learn more about the changes incurred and gain knowledgeable insights on the application of this standard for clinical investigation planning, design, and conduct, make sure to join our ISO 14155:2020 online training, recognized by Swissethics for Investigator & Sponsor-Investigator Levels
 
Furthermore, as a Contract Research Organization (CRO), Medidee will assist you with all aspects of your clinical investigation activities, from creating and submitting Clinical Trial Applications to Ethics Committees and Competent Authorities, through to initiating, monitoring and writing Clinical Investigation Reports. Contact us now!